Candy Crush Is a Fun Game… Let’s Hack It

January 29, 2013

I noticed a bunch of my friends were playing a game called “Candy Crush”. I’m not much of a gamer, nor do I have time to waste on games, but I had to see what the hype was all about. I mean, this game went viral and I want to know what they did right. So I played it. It certainly is fun. I played it for 6 days and reached level 105. Cool, but there are currently 305 levels and I don’t wish to waste any more time on this game. I got curious, so I started logging the TCP packets sent back and forth to king.com by the Flash client. I found a few interesting bits of information.

The second thing I noticed: the Flash client polls https://candycrush.king.com/api/poll and GETs a JSON-encoded string with some interesting data:
{"currentUser":{"userId":XXXX,"lives":1,"timeToNextRegeneration":1780,"gold":0,"unlockedBoosters":[],"soundFx":true,"soundMusic":true,"maxLives":5,"immortal":false,"mobileConnected":true}}
This data tells your client who you are, how many lives you have, sound settings, max lives… and immortal? Whoa. It appears the good folks at King have a secret setting called “immortal” (which of course defaults to false). How does one set “immortal” to true? Well, you can get creative. The idea is to deceive your browser and feed it phony data. One option is to add an entry to your hosts file or nameserver that points the hostname at an alternate server. Another is to run a MITM attack on yourself with a custom filter that rewrites the number of lives, the max lives, and your immortal status. In case you haven’t noticed, the request is encrypted (HTTPS). So how would we get past that? ettercap can re-sign the connection with its own SSL certificate (which triggers a browser warning), and you can simply add that certificate to your exceptions list. All you need to do is edit /etc/etter.conf and uncomment the appropriate lines for your operating system. Since I am using Linux, I uncomment:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

and I set:
ec_uid = 0
ec_gid = 0

The third thing I noticed, while running a MITM attack against an iPad, was that the mobile app version does not use SSL when calling the API. That makes it even easier to hack than the Facebook app.
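What the poll body means for enforcement, as an added example that is not code from the post or from King: a client that trusts the poll verbatim, which is what the post shows the Flash client doing, is controlled by whoever can rewrite the response (over plain HTTP on the mobile endpoint, or behind a forged certificate the user accepted). A server that stores lives itself and regenerates them on its own clock ignores the same rewrite, and also the local-clock trick one commenter describes below. Field names and values come from the quoted response; the userId, the 1800-second regeneration interval and the ServerLives design are assumptions.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the poll body quoted in the post; field names and
# values are the page's, the userId is made up.
POLL_RESPONSE = json.dumps({"currentUser": {
    "userId": 123456, "lives": 1, "timeToNextRegeneration": 1780, "gold": 0,
    "unlockedBoosters": [], "soundFx": True, "soundMusic": True,
    "maxLives": 5, "immortal": False, "mobileConnected": True}})

REGEN_SECONDS = 1800   # assumed interval; the post only shows a 1780 s countdown


def client_can_start_level(poll_json: str) -> bool:
    """Client-side check that trusts the poll body verbatim, as the post
    describes the Flash client doing. Whoever can rewrite the response
    (a proxy on the plain-HTTP mobile endpoint, or a MITM whose forged
    certificate the user clicked through) decides the outcome."""
    user = json.loads(poll_json)["currentUser"]
    return bool(user["immortal"]) or user["lives"] > 0


def tampered(poll_json: str, **overrides) -> str:
    """Rewrite fields in transit, as an ettercap filter or proxy would."""
    doc = json.loads(poll_json)
    doc["currentUser"].update(overrides)
    return json.dumps(doc)


@dataclass
class ServerLives:
    """Server-authoritative lives (assumed design, not King's): the count
    lives in server storage and regenerates on the server clock, so neither
    a rewritten poll nor a client whose local clock was moved forward can
    change it."""
    lives: int
    last_regen: float        # server timestamp of the last regeneration tick
    max_lives: int = 5

    def _settle(self, now: float) -> None:
        """Apply any regeneration ticks that elapsed on the server clock."""
        if self.lives < self.max_lives:
            gained = int((now - self.last_regen) // REGEN_SECONDS)
            if gained > 0:
                self.lives = min(self.max_lives, self.lives + gained)
                self.last_regen += gained * REGEN_SECONDS
        if self.lives >= self.max_lives:
            self.last_regen = now   # the timer only runs while below max

    def time_to_next_regeneration(self, now: float) -> int:
        """Value the server would put in the poll; computed, never stored."""
        self._settle(now)
        if self.lives >= self.max_lives:
            return 0
        return int(REGEN_SECONDS - (now - self.last_regen))

    def start_level(self, now: float, client_claim: Optional[dict] = None) -> bool:
        """`client_claim` is whatever the client asserts about itself (lives,
        immortal, its own clock); it is never consulted for the decision."""
        self._settle(now)
        if self.lives <= 0:
            return False
        self.lives -= 1
        return True


def demo() -> dict:
    forged = tampered(POLL_RESPONSE, lives=99, immortal=True)
    srv = ServerLives(lives=1, last_regen=1_000_000.0)
    result = {
        # client-side enforcement: the rewritten body wins
        "client_trusts_forged": client_can_start_level(forged),
        # server-side enforcement: one life, then refused even with the forged claim
        "first": srv.start_level(1_000_020.0),
        "second": srv.start_level(1_000_040.0,
                                  client_claim=json.loads(forged)["currentUser"]),
        # a full interval on the server clock regenerates exactly one life
        "after_regen": srv.start_level(1_000_040.0 + REGEN_SECONDS),
    }
    result["countdown"] = srv.time_to_next_regeneration(1_001_820.0)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of `start_level` taking `now` from the server and never reading `client_claim` is that the entire poll body becomes a display hint rather than an input: the client can render it however it likes, but the server's answer to "may this player start a level" does not change. Running `demo()` shows the forged body passing the client check while the server refuses the second attempt and only grants a life after a full interval of its own time.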

Finally, the simplest way to hack Candy Crush (or any other Flash-based software) is to tamper with the data in memory. There is a nifty little tool for this: scanmem. On Ubuntu, you can simply run sudo apt-get install scanmem to install it. scanmem is essentially a dumbed-down hex editor that lets you scan for, locate and modify areas of memory used by a local process. It reminds me of the 90s, when I used to crack copy protection on video games armed with nothing but DEBUG and ZipZap (or gdb and hexedit on Linux). I say dumbed down because it does all the difficult tasks for you. Let me walk you through the cheating process.
1) Get the PID for your browser/Flash player. If you use Firefox, ps aux | grep flash should return the process ID.
2) Run scanmem: sudo scanmem
3) Select the process at scanmem’s prompt: pid [process ID]
4) Pinpoint the memory location that holds the value you are after. If you want more moves on a level, look at the number of moves you have left and enter it at the prompt. For example, with 30 moves left, enter 30. It will likely find far too many matches to be useful, but that’s okay, because scanmem tracks each of those locations for you. Make another move so you have 29 moves left, return to the scanmem prompt and enter 29. The number of matches shrinks. Repeat until it returns 2 matches. Now you’ve pinpointed it!
5) Change the value in memory. At the prompt, type set 200 and it will give you 200 of whatever you were tracking (moves, in this example).
6) Reset scanmem. If you want to track a different value, or the moves on a different level, simply type reset.

(before running the hack)
(after running the hack… note the number of moves left)

Yes, it’s that simple. Back in the 90s I would have a notebook full of addresses I considered “areas of interest” and use the process of elimination to pinpoint the right value. *sigh*. Kids these days have it easy. If you’re planning on hacking Candy Crush, this might prove useful:
– number of moves: 2 matches
– bomb timers: 2 matches per bomb
– score: 4 matches
– checklists: 1 match (but not the value shown on screen. The game displays the number of items you still have to clear to pass the level; in memory it is stored as the number of items already destroyed: [number of items needed to pass] - [number of items you have left])
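The narrowing from step 4 and the stored-versus-displayed mismatch in the checklist entry above, reproduced as an added example over a constructed 256-byte “memory” region (this is not code from the post or from scanmem): a scan for the displayed value finds the moves counter after two turns but never finds the checklist, while a scan for the derived value (items needed minus items left) finds the single stored word at once. The word indices, the 20-item goal, the decoys and the noise values are all made up.

```python
import struct

WORD = 4            # search unit: 32-bit little-endian integers
NEEDED = 20         # constructed level goal: clear 20 of some item
MOVES_IDX = 10      # word index where the constructed game keeps moves left
CHECK_IDX = 40      # word index where it keeps the checklist, as items destroyed


def snapshot(words):
    """Pack 32-bit ints into bytes: a constructed stand-in for a region of
    the Flash player's memory at one moment."""
    return struct.pack("<%dI" % len(words), *words)


def scan(mem, value, candidates=None):
    """One scanmem-style pass: keep the aligned offsets whose word equals
    `value`. The first pass checks every word; later passes only re-check
    the survivors of the previous one."""
    if candidates is None:
        candidates = range(0, len(mem) - WORD + 1, WORD)
    return [o for o in candidates if struct.unpack_from("<I", mem, o)[0] == value]


def narrow(frames, key=lambda shown: shown):
    """Step 4 of the post: re-scan after each change the player can see,
    searching for key(displayed value) and keeping only offsets that matched
    every time."""
    cands = None
    for mem, shown in frames:
        cands = scan(mem, key(shown), cands)
    return cands


def simulate_game(turns=4):
    """Constructed play: 64 words of background noise (all >= 1000), moves
    left stored verbatim, checklist stored as NEEDED - items left, and two
    decoys that equal the moves count on the first turn only (the 'way too
    many matches' a first scan returns)."""
    mem = [1000 + 3 * i for i in range(64)]
    moves_left, items_left = 30, NEEDED
    destroyed_per_turn = [2, 1, 2, 1, 2, 1, 2, 1]
    frames = []
    for t in range(turns):
        mem[MOVES_IDX] = moves_left
        mem[CHECK_IDX] = NEEDED - items_left
        mem[12] = moves_left if t == 0 else 1500
        mem[25] = moves_left if t == 0 else 1600
        frames.append((snapshot(mem), moves_left, items_left))
        moves_left -= 1
        items_left -= destroyed_per_turn[t]
    return frames


def demo():
    frames = simulate_game()
    moves_frames = [(mem, moves) for mem, moves, _ in frames]
    check_frames = [(mem, items) for mem, _, items in frames]
    return {
        # first pass: the real counter plus the two decoys
        "moves_first_pass": scan(frames[0][0], frames[0][1]),
        # after four turns only the real counter survives
        "moves_narrowed": narrow(moves_frames),
        # searching for the on-screen checklist value never matches...
        "checklist_naive": narrow(check_frames),
        # ...searching for items destroyed finds the single stored word
        "checklist_as_destroyed": narrow(check_frames, key=lambda left: NEEDED - left),
    }


if __name__ == "__main__":
    for name, offsets in demo().items():
        print(name, offsets)
```

The lesson for anyone building a game client is the same one the post reaches by hand: any value the client holds can be located within a few turns, and storing a derived representation only changes what you search for. State that matters (lives, score, level progress) has to be kept and checked on the server, where a local memory edit cannot reach it.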


Hi Alvin, although I haven’t inspected the packets closely, it appears everything is sent via standard http (80). I was only really investigating the flash version of candy crush. It might be worth a closer look.

Hi, really interesting hack through Flash Player. Anyway, is there any way, using a similar method, that I can reset my Candy Crush Facebook progress to start all over again??? Please, someone let me know. Thanks a lot

Hey man, nice guide. Can I please ask if you can give me a fast explanation of how I can change my user data by using my Facebook ID, so that I may change the resources my profile owns and I would be identified by the game’s server with much higher resources 🙂 Thank you in advance. Here is my Facebook: http://www.facebook.com/dolcepanna2012/ please PM me 🙂 Thank you again

Simple answer is, you can’t. There are a couple of tricks to bypassing it. One is to use an ettercap filter and drop SSL encryption altogether. The second is to issue a separate SSL cert as the man in the middle. Both methods are, however, very detectable.

I didn’t know about scanmem! It’s nice.
Also, I’m surprised no one else seems to have “hacked” Candy Crush – maybe the players are not the kind of people who know about iptables, SSL, ettercap, and other goodies 😀

I’m more interested in hacking the mobile app; I might set up a squid server as a transparent proxy to mangle the JSON requests.
Meanwhile, I have successfully played with scanmem to increase the number of moves, but I did not succeed in increasing the number of lives. Maybe it’s because there is server communication between each death and that moves the number of lives in memory, so scanmem can’t find it.

Hi… While playing Candy Crush on a tablet it does not give many boosters and benefits…
At my workplace Facebook is open for all, but games on FB are blocked. Can you help me with how to unblock Candy Crush on FB?

Many thanks for the tutorial! It works great in Linux Mint 14, too 😉
I have a problem though: I made it work to get more moves left on a level, but I can’t seem to make it work to get more time on time-limited levels, like, for example, 189!

This post is great! My nephew used to play the game, and asked one day if it was possible to get “unlimited lives”. I realized quickly that the game’s clock settings were based on the local clock… the same security level used by Microsoft in releasing their “trial” software back in the 90s. 🙂
All I had to do was kill the game process and set the local clock ahead by a few hours. Start the game. Don’t play just yet, though… go back to the local clock and reset it to local time. You now have 3 fresh lives with no time constraints, and your local clock is always correct.
Needless to say my nephew was over the moon when I taught him how to repeat the process.
When he turned around and asked me if we could make our own “computer game” together, I was the one over the moon.
Teach a kid to code!